Use the following log types for SMS message logging.
SMS System
Field | Type | Max size | Description |
facility | integer | 11 | Appears to always be 0 |
formattedTime | date string | 15 | MMM dd HH:mm:ss, ex. Mar 20 02:02:48 |
logID | long | 20 | SMS system log entry identifier |
message | string | 1024 | System log message |
severity | integer | 4 | Severity of the entry: 1, 2 – Info; 3 – Warn; 4 – Error; 5 – Critical |
time | long | 20 | System log entry timestamp in milliseconds |
SMS Audit
Field | Type | Max size | Description |
clientIpAddress | String | 39 | Source address of the client that generated the audit entry. |
clientPort | Integer | 11 | Port of the client that generated the audit entry. |
description | String | 1024 | Audit message. |
index | Long | 20 | SMS audit log entry identifier. |
sessionID | Integer | 11 | SMS identifier for the user session that generated the audit entry. |
status | String | 300 | Success, fail |
time | Long | 20 | Audit log entry timestamp in milliseconds. |
userName | String | 150 | Name of the user. |
Device System
Field | Type | Max size | Description |
component | String | 12 | Component area of the device that generated the system log entry. |
deviceID | Integer | 10 | SMS identifier for the device. |
deviceName | String | 63 | User-provided name of the device that system log entry was received from. |
index | Long | 20 | SMS device system log entry identifier. |
message | String | 65,535 | System message. |
messageCode | Long | 10 | |
sequence | Long | 20 | Device system log entry identifier. |
severity | String | 32 | INFO, WARN, ERR |
time | Long | 20 | System log entry timestamp in milliseconds. |
Device Audit
Field | Type | Max size | Description |
accessLevel | string | 13 | Unknown, Operator, Administrator, Super User, SMS |
component | string | 12 | Component area of the device that generated the audit entry |
deviceID | integer | 10 | SMS identifier for the device |
deviceName | string | 63 | User-provided name of the device that the audit entry was received from |
index | long | 20 | SMS device audit entry identifier |
interface | string | 7 | Device interface type that initiated the audit entry |
ipAddress | IP address | 39 | Source address of the interface that generated the audit entry |
message | string | 65,535 | Audit message |
result | string | 4 | PASS, FAIL |
sequence | long | 20 | Device audit entry identifier |
time | long | 20 | Audit entry timestamp in milliseconds |
user | string | 128 | Name of the user |
Snort Syslog Format MARS [Deprecated]
Column | Description |
0 | Date (timestamp) |
1 | Device identifier |
2 | SID |
3 | Filter name |
4 | Classification |
5 | Priority |
6 | Protocol (TCP, UDP, ICMP, and IP) |
7 | Source address |
8 | –> (indicates direction of traffic flow: source –> destination) |
9 | Destination address |
Snort Syslog Format V2 [Deprecated]
Column | Description |
0 | Device identifier |
1 | SID |
2 | Filter name |
3 | Classification |
4 | Priority |
5 | Protocol |
6 | Source address |
7 | –> |
8 | Destination address |
SMS 2.0/2.1 Syslog Format
Column | Description |
0 | Syslog category — "<32>" — defined facility and severity |
1 | Action type — 7 is Permit, 8 is Block, 9 is P2P |
2 | Severity — 0 is Normal, 1 is Low, 2 is Minor, 4 is Critical |
3 | Policy UUID — TippingPoint UUID for policy |
4 | Signature UUID — TippingPoint UUID for signature |
5 | Signature name — user-friendly name for signature and policy |
6 | Signature number |
7 | Signature protocol — protocol of signature (IP, UDP, TCP, HTTP, etc.) |
8 | Source address |
9 | Source port |
10 | Destination address |
11 | Destination port |
12 | Hit count — number of attacks during aggregation period |
13 | Device slot — this slot can be 3, 5, 7, or 8 |
14 | Device segment — device segment of the above slot that got the event |
15 | Device name — user-friendly name of the device the event was received from |
16 | TippingPoint Taxonomy ID — category ID assigned to the signature |
17 | Event timestamp in milliseconds |
18 | Additional comments about the event |
19 | Sequence number of the event in the SMS |
SMS 2.5 Syslog Format
Column | Description |
0 | Syslog category — "<32>" — defined facility and severity |
1 | Action type — 7 is Permit, 8 is Block, 9 is P2P |
2 | Severity — 0 is Normal, 1 is Low, 2 is Minor, 3 is Major, 4 is Critical |
3 | Policy UUID — TippingPoint UUID for policy |
4 | Signature UUID — TippingPoint UUID for signature |
5 | Signature name — user-friendly name for signature and policy |
6 | Signature number |
7 | Signature protocol — protocol of signature (IP, UDP, TCP, HTTP, etc.) |
8 | Source address |
9 | Source port |
10 | Destination address |
11 | Destination port |
12 | Hit count |
13 | Source zone name |
14 | Destination zone name |
15 | Incoming physical port |
16 | VLAN ID |
17 | Device name — user-friendly name of the device the event was received from |
18 | TippingPoint taxonomy ID — category ID assigned to the signature |
19 | Event timestamp in milliseconds |
20 | Additional comments about the event |
21 | Sequence number of the event in the SMS |
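As an added example (not code from this page or from the SMS product), the following Python parser maps one SMS 2.5 syslog record onto the 22 columns listed above and expands the action-type and severity codes into their names. The page gives column positions but not the field separator, so the delimiter is an assumption exposed as a parameter (tab by default). The sample record, its UUIDs, addresses, zone names and device name are constructed for the example; the `needs_review` helper is likewise an addition that flags permitted Major/Critical events for analyst follow-up.

```python
"""Parser for the SMS 2.5 syslog column layout (added example)."""
from datetime import datetime, timezone

# Code-to-name tables taken from the SMS 2.5 format description above.
ACTION_TYPES = {"7": "Permit", "8": "Block", "9": "P2P"}
SEVERITIES = {"0": "Normal", "1": "Low", "2": "Minor", "3": "Major", "4": "Critical"}

# Column names in the order the SMS 2.5 table lists them (columns 0..21).
SMS25_COLUMNS = [
    "syslog_category", "action_type", "severity", "policy_uuid", "signature_uuid",
    "signature_name", "signature_number", "signature_protocol", "src_addr", "src_port",
    "dst_addr", "dst_port", "hit_count", "src_zone", "dst_zone", "in_port", "vlan_id",
    "device_name", "taxonomy_id", "timestamp_ms", "comments", "sequence",
]


def parse_sms25(line: str, delimiter: str = "\t") -> dict:
    """Split one SMS 2.5 record into a dict keyed by SMS25_COLUMNS.

    The delimiter is an assumption (the page lists column positions only), so it
    is a parameter. Unknown action or severity codes are kept verbatim rather than
    dropped, so a collector never silently loses an event it cannot classify.
    """
    fields = line.rstrip("\r\n").split(delimiter)
    if len(fields) != len(SMS25_COLUMNS):
        raise ValueError(f"expected {len(SMS25_COLUMNS)} columns, got {len(fields)}")
    ev = dict(zip(SMS25_COLUMNS, fields))
    ev["action"] = ACTION_TYPES.get(ev["action_type"], f"unknown({ev['action_type']})")
    ev["severity_name"] = SEVERITIES.get(ev["severity"], f"unknown({ev['severity']})")
    ev["hit_count"] = int(ev["hit_count"])           # aggregated attack count
    ev["timestamp"] = datetime.fromtimestamp(       # column 19 is epoch milliseconds
        int(ev["timestamp_ms"]) / 1000, tz=timezone.utc
    )
    return ev


def needs_review(ev: dict) -> bool:
    """Added triage rule: a Major/Critical hit that the device only permitted."""
    return ev["action"] == "Permit" and ev["severity_name"] in ("Major", "Critical")


# Constructed sample record (not captured from a real device); UUIDs and
# addresses are placeholders from documentation ranges.
SAMPLE = "\t".join([
    "<32>", "8", "4",
    "00000001-0001-0001-0001-000000000001", "00000002-0002-0002-0002-000000000002",
    "Example signature", "1234", "TCP", "192.0.2.10", "51234", "198.51.100.5", "443",
    "3", "Zone-A", "Zone-B", "1A", "100", "ips-lab-01", "99", "1700000000000",
    "", "42",
])

if __name__ == "__main__":
    event = parse_sms25(SAMPLE)
    print(event["timestamp"].isoformat(), event["action"], event["severity_name"],
          event["src_addr"], "->", event["dst_addr"], "review:", needs_review(event))
```

Because the column count is checked before anything else, a record produced by a different SMS format version (the 2.0/2.1 layout has 20 columns) fails loudly instead of being mis-mapped.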
ArcSight CEF Format v3.5 [Deprecated]
Use this format type to send events to an ArcSight connector. This format
type does not support IPv6.
Column | CEF key name | Description |
0 | CEF | CEF header (Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|) |
1 | app | Application protocol |
2 | cnt | Base event count |
3 | dst | Destination address |
4 | dpt | Destination port |
5 | act | Device action |
6 | cn1 | Device custom number 1: VLAN tag |
7 | cn1Label | Device custom number 1 label |
8 | cn2 | Device custom number 2: taxonomy ID |
9 | cn2Label | Device custom number 2 label |
10 | cn3 | Device custom number 3: packet trace |
11 | cn3Label | Device custom number 3 label |
12 | cs1 | Device custom string 1: profile name |
13 | cs1Label | Device custom string 1 label |
14 | cs2 | Device custom string 2: policy UUID |
15 | cs2Label | Device custom string 2 label |
16 | cs3 | Device custom string 3: signature UUID |
17 | cs3Label | Device custom string 3 label |
18 | cs4 | Device custom string 4: zone names |
19 | cs4Label | Device custom string 4 label |
20 | cs5 | Device custom string 5: device name |
21 | cs5Label | Device custom string 5 label |
22 | cs6 | Device custom string 6: message parameters (IP address of Reputation filter matches) |
23 | cs6Label | Device custom string 6 label |
24 | src | Source address |
25 | spt | Source port |
26 | externalID | External ID (event ID) |
27 | rt | Event time |
28 | cat | Device event category |
29 | proto | Transport protocol |
30 | deviceInboundInterface | Device inbound interface (physical port in) |
ArcSight CEF Format v4.1 [Deprecated]
Use this format type to send events to an ArcSight connector. This format
type includes HTTP context information and supports IPv6.
Column | CEF key name | Description |
0 | CEF | CEF header (Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|) |
1 | app | Application protocol |
2 | cnt | Base event count |
3 | dst | Destination IPv4 address |
4 | dpt | Destination port |
5 | act | Device action |
6 | cn1 | Device custom number 1: VLAN tag |
7 | cn1Label | Device custom number 1 label |
8 | cn2 | Device custom number 2: taxonomy ID |
9 | cn2Label | Device custom number 2 label |
10 | cn3 | Device custom number 3: packet trace |
11 | cn3Label | Device custom number 3 label |
12 | cs1 | Device custom string 1: profile name |
13 | cs1Label | Device custom string 1 label |
14 | cs2 | Device custom string 2: policy UUID |
15 | cs2Label | Device custom string 2 label |
16 | cs3 | Device custom string 3: signature UUID |
17 | cs3Label | Device custom string 3 label |
18 | cs4 | Device custom string 4: zone names |
19 | cs4Label | Device custom string 4 label |
20 | cs5 | Device custom string 5: device name |
21 | cs5Label | Device custom string 5 label |
22 | cs6 | Device custom string 6: message parameters (IP address of Reputation filter matches) |
23 | cs6Label | Device custom string 6 label |
24 | src | Source IPv4 address |
25 | spt | Source port |
26 | externalID | External ID (event ID) |
27 | rt | Event time |
28 | cat | Device event category |
29 | proto | Transport protocol |
30 | deviceInboundInterface | Device inbound interface (physical port in) |
31 | c6a2 | Source IPv6 address |
32 | c6a3 | Destination IPv6 address |
33 | request | URI string |
34 | requestMethod | URI method |
35 | dhost | URI host |
ArcSight CEF Format v4.2
Use this recommended format type to send events to an ArcSight connector.
This format type includes HTTP context information, TCIP/XFF client IP, and user
information.
Column | CEF key name | Description |
0 | CEF | CEF header (Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|) |
1 | app | Application protocol |
2 | act | Flow control of the filter |
3 | c6a1 | Client IPv6 address |
4 | c6a1Label | Client IPv6 address field label |
5 | c6a2 | Source IPv6 address |
6 | c6a2Label | Source IPv6 address field label |
7 | c6a3 | Destination IPv6 address |
8 | c6a3Label | Destination IPv6 address field label |
9 | cat | Filter name category |
10 | cn1 | Device custom number 1: VLAN ID |
11 | cn1Label | Device custom number 1 label |
12 | cn2 | Device custom number 2: taxonomy ID |
13 | cn2Label | Device custom number 2 label |
14 | cn3 | Device custom number 3: packet trace |
15 | cn3Label | Device custom number 3 label |
16 | cs1 | Device custom string 1: profile name |
17 | cs1Label | Device custom string 1 label |
18 | cs2 | Device custom string 2: profile UUID |
19 | cs2Label | Device custom string 2 label |
20 | cs3 | Device custom string 3: filter signature UUID |
21 | cs3Label | Device custom string 3 label |
22 | cs4 | Device custom string 4: zone names (source and destination) |
23 | cs4Label | Device custom string 4 label |
24 | cs5 | Device custom string 5: device name |
25 | cs5Label | Device custom string 5 label |
26 | cs6 | Device custom string 6: filter message parameters (IP address of Reputation filter matches) |
27 | cs6Label | Device custom string 6 label |
28 | cnt | Event hit count |
29 | deviceInboundInterface | Physical port in |
30 | dhost | Host name of the URI |
31 | dntdom | Destination domain name |
32 | dpt | Destination port |
33 | dst | Destination IPv4 address |
34 | duser | Destination username |
35 | dvchost | Device name |
36 | externalId | Event ID |
37 | proto | Network protocol |
38 | request | URI string |
39 | requestMethod | URI method |
40 | rt | Event time stamp |
41 | sntdom | Source domain name |
42 | sourceTranslatedAddress | Client IPv4 address |
43 | spt | Source port |
44 | src | Source IPv4 address |
45 | suser | Source user name |
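As an added example rather than the page's or the vendor's own code, this Python parser handles the CEF v4.2 layout above: it splits the seven-field header on unescaped pipes, parses the space-separated key=value extension, and resolves the cnN/csN/c6aN fields through their matching *Label keys so a consumer sees "Profile" or "Zones" instead of cs1/cs4. The escaping rules it applies (backslash before | in the header, before = and \ in extension values, \n and \r for line breaks) are those of the CEF specification and are not stated on this page. The sample line, the vendor and version strings, and every value in it are constructed; they are not output captured from an SMS.

```python
"""CEF parser with custom-field label resolution (added example)."""
import re

# A key is a run of word characters directly followed by '=', preceded by
# whitespace or start of string. An escaped '\=' inside a value never matches
# because a backslash is not a key character.
_KEY = re.compile(r"(?<!\S)([A-Za-z0-9_]+)=")


def _split_header(record: str):
    """Return (seven header fields, raw extension) honouring '\\|' escapes."""
    parts, cur, i = [], [], 0
    while i < len(record) and len(parts) < 7:
        c = record[i]
        if c == "\\" and i + 1 < len(record):   # escaped char in header
            cur.append(record[i + 1]); i += 2
        elif c == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(parts) < 7:
        raise ValueError("malformed CEF header: fewer than seven '|' separators")
    return parts, record[i:]                      # remainder is the extension


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> dict:
    """key=value pairs; values run until the next unescaped 'key=' token."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def _resolve_labels(ext: dict) -> dict:
    """Map each cnN/csN/c6aN value under the name given by its *Label key."""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def parse_cef(line: str) -> dict:
    parts, ext_raw = _split_header(line.rstrip("\r\n"))
    if not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = {
        "version": parts[0][4:], "device_vendor": parts[1], "device_product": parts[2],
        "device_version": parts[3], "signature_id": parts[4], "name": parts[5],
        "severity": int(parts[6]),
    }
    ext = _parse_extension(ext_raw)
    return {"header": header, "extension": ext, "labeled": _resolve_labels(ext)}


# Constructed sample using v4.2 keys from the table above. The vendor/version
# strings are placeholders; the name deliberately contains an escaped pipe and
# the request an escaped '='.
SAMPLE_CEF = (
    "CEF:0|VendorName|TippingPoint SMS|x.y|1234|Filter with \\| pipe|8|"
    "app=HTTP act=Block cat=Exploits cn1=100 cn1Label=VLAN cn2=99 cn2Label=TaxonomyID "
    "cs1=Default cs1Label=Profile cs4=Zone-A,Zone-B cs4Label=Zones cnt=3 "
    "deviceInboundInterface=1A dhost=www.example.com request=/index.php?id\\=1 "
    "requestMethod=GET rt=1700000000000 src=192.0.2.10 spt=51234 dst=198.51.100.5 "
    "dpt=80 sourceTranslatedAddress=203.0.113.7 externalId=42"
)

if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_CEF)
    print(parsed["header"]["name"], parsed["labeled"], parsed["extension"]["request"])
```

Resolving labels at ingest time matters for detection content: a rule written against `cs1` breaks as soon as the device reassigns custom strings between format versions (note cs2 is a policy UUID in v3.5/v4.1 but a profile UUID in v4.2), while a rule written against the label name survives.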